
On an EC2 instance, you can configure a security group to have what seems to be the same as firewall rules (e.g. drop all traffic by default while selectively allowing port-based inbound or outbound traffic). Previously I've used other services such as DigitalOcean, where I just add some rules to the firewall (e.g. UFW) once I'm logged into the instance.

With an EC2 instance should I only configure firewall rules via security groups and not touch firewall software running on the instance (e.g. once I log into the system, not configure ufw or iptables)?

I want to make sure that I've got this set up correctly, and that I'm not accidentally forcing traffic through two sets of firewall rules if both security groups and a host-based firewall are being used.

My hunch is that either approach, or a combination of both could work (and this would be fine as long as there aren't duplicate rules). Is this right? If possible I would like to simply use security groups.

ChristianF
    Your understanding is correct. It’s your choice. One limitation of security groups on an instance is that you can’t add deny rules. – Appleoddity May 02 '18 at 18:31

1 Answer


You can use as many or as few of the available firewalls as you like. Defense in depth suggests that more than one layer can increase security.

Here's what each is, to the best of my knowledge:

  • Network ACLs (NACLs) are the most like a traditional firewall. You have to define incoming and outgoing rules separately. I suspect that NACLs are not run on the instance, but are a device on the network somewhere. If this is correct, using a NACL to reject significant amounts of traffic might slightly increase instance performance, as the security groups and IPTables don't have to use CPU time to do it.
  • Security Groups are a stateful firewall. If you allow incoming traffic outgoing responses are allowed automatically, and vice versa. SGs are run in the hypervisor on each server.
  • IPTables and such are (I think) stateless, so you define the rules in each direction. These run inside the operating system on your instance.

Personally I use security groups as my primary firewall as they're easiest to set up and use. I also have fail2ban putting rules into the CloudFlare firewall to prevent bad IPs accessing the server, using this setup.

Tim
  • Great! I was wondering if security groups were stateful - thanks for that. – ChristianF May 02 '18 at 21:04
  • The AWS documentation is excellent, very comprehensive, particularly for basics. The really advanced stuff starts to get a bit more difficult to find. – Tim May 03 '18 at 00:10
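To make the stateful/stateless distinction in the answer concrete, here is an added example (written for this page, not code from the question or the answer) in Terraform HCL. It assumes a fresh VPC and subnet with the CIDRs shown, a resource name of "web", and an arbitrary documentation address range (198.51.100.0/24) to illustrate a NACL deny rule; none of those come from the original thread. The security group needs only an inbound rule for port 443, because replies are tracked and allowed back automatically. The NACL, being stateless, also needs an outbound rule for the ephemeral port range or the instance's replies to those same connections never leave the subnet.

```hcl
# Added example (not part of the original question or answer): a security
# group and a network ACL protecting the same subnet. VPC/subnet CIDRs, the
# "web" names and the denied 198.51.100.0/24 range are assumptions.

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "web" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Stateful: one inbound allow is enough, the replies to these connections are
# let back out automatically. There is no deny rule type in a security group;
# anything not listed is dropped.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = aws_vpc.main.id

  ingress {
    description = "HTTPS from anywhere"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "Instance-initiated outbound (package updates etc.)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Stateless: rules are evaluated in ascending rule_no order, first match wins,
# and inbound and outbound are independent of each other. Unlike a security
# group, a NACL can carry an explicit deny.
resource "aws_network_acl" "web" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.web.id]

  # Explicit deny for one (assumed) address range, numbered ahead of the allow
  # so it is matched first.
  ingress {
    rule_no    = 90
    protocol   = "tcp"
    action     = "deny"
    cidr_block = "198.51.100.0/24"
    from_port  = 443
    to_port    = 443
  }

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  # Return traffic for the inbound 443 connections: the instance answers to the
  # client's ephemeral source port. Without this rule the security group's
  # allow is not enough and clients see hung connections.
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
```

Inbound traffic to the instance is checked by the NACL at the subnet boundary, then by the security group, and finally by whatever host firewall runs on the instance, so a packet must be allowed by every layer you enable. Keeping the host firewall unconfigured and relying on the security group alone, as the questioner prefers, is consistent with this layout; adding the NACL is what gives you an explicit deny.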